Software as a Service (SaaS) is a software distribution model that allows cloud providers to host applications and make them available to end users over the Internet. In some cases, software vendors contract with a third-party cloud provider to host their applications. In other cases, a large enterprise like Microsoft might perform both roles—the cloud provider and the software vendor.
SaaS works through a cloud delivery model. The application can be accessed from any device connected to the network, typically via a web browser. A major advantage of the SaaS model is that SaaS users do not need to set up and maintain software. SaaS also eliminates upfront expenditure for software, allowing users to access the software on-demand and pay a monthly subscription fee or be billed according to actual usage.
However, SaaS applications are open to the Internet by default, and so they raise serious security concerns. An innocent security misconfiguration in a SaaS application—for example, an employee making a folder openly accessible with no authentication—can have disastrous consequences. In addition, attackers are discovering that SaaS applications are highly valuable to organizations and often have weak security defenses, and they are becoming an attractive target.
SaaS Security Concerns
As organizations increasingly rely on SaaS applications for mission-critical business processes, security issues are a growing concern. According to one estimate, threats to cloud services are growing at a rate of 630% year over year.
Some of the threats facing SaaS are unique to cloud environments. For example, SaaS applications are commonly exposed to the Internet, meaning that attackers can easily connect to them. Vulnerabilities in a SaaS application can be easily exploited, because attackers do not need to penetrate a secure network perimeter.
Here are some of the key security concerns for SaaS applications:
- Insecure configuration—even if a SaaS application offers robust security controls, these controls must be configured properly to be effective. For example, an employee can create sensitive data in a SaaS application and allow anyone to access it without authentication.
- Cross-Site Scripting (XSS)—because SaaS applications are accessed via the web, they are often vulnerable to XSS, a vulnerability that affects a majority of web applications. This type of attack involves injecting malicious script into a page displayed to the end user.
- Insider threats—accidental or deliberate acts by employees or contractors can also pose a security risk to SaaS applications. Insiders can steal credentials, exfiltrate sensitive data, and sabotage data and systems in the cloud.
- Identity theft—SaaS user accounts can contain sensitive data including payment details, contact details, credentials, and personal details. By compromising a SaaS user account, attackers gain access to this sensitive data.
- Insufficient monitoring—like any critical IT system, SaaS applications must be closely monitored for anomalous activity. Many SaaS applications are considered outside the scope of an organization’s IT and security teams, and there is often a misconception that the cloud provider is responsible for security.
- Compliance requirements—most organizations are subject to industry standards or regulations—such as GDPR for data protection, HIPAA for healthcare, and PCI-DSS for retail online payments. Each standard has its own data protection requirements, and SaaS applications must meet compliance requirements just like any other IT system.
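The "insufficient monitoring" concern above is easiest to see with concrete detection logic. The following is an added example, not code from the original article or from any SaaS vendor: it reads a few constructed audit-log lines (the field names `ts`, `user`, `action`, `country`, `target` and `visibility` are assumptions, not a real provider's schema) and flags three patterns a security team would want alerted on: a login from a country never seen before for that user, a burst of downloads inside a short window, and a file shared to "anyone with the link".

```python
"""Detect anomalous activity in SaaS audit logs (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events in the style of a SaaS audit-log export (JSON lines).
# Field names are assumptions for this example, not any vendor's real schema.
SAMPLE_LOG = """
{"ts": "2024-03-01T08:00:00Z", "user": "alice", "action": "login", "country": "DE"}
{"ts": "2024-03-01T08:05:00Z", "user": "alice", "action": "download", "target": "q1-plan.xlsx"}
{"ts": "2024-03-02T08:01:00Z", "user": "alice", "action": "login", "country": "DE"}
{"ts": "2024-03-03T02:14:00Z", "user": "alice", "action": "login", "country": "BR"}
{"ts": "2024-03-03T02:15:00Z", "user": "alice", "action": "download", "target": "customers.csv"}
{"ts": "2024-03-03T02:15:30Z", "user": "alice", "action": "download", "target": "payroll.xlsx"}
{"ts": "2024-03-03T02:16:00Z", "user": "alice", "action": "download", "target": "contracts.zip"}
{"ts": "2024-03-03T02:16:20Z", "user": "alice", "action": "download", "target": "board-deck.pptx"}
{"ts": "2024-03-03T02:17:00Z", "user": "alice", "action": "download", "target": "roadmap.docx"}
{"ts": "2024-03-03T02:18:00Z", "user": "alice", "action": "download", "target": "sales.csv"}
{"ts": "2024-03-03T09:00:00Z", "user": "bob", "action": "share", "target": "hr-folder", "visibility": "anyone_with_link"}
{"ts": "2024-03-03T09:30:00Z", "user": "bob", "action": "share", "target": "team-notes", "visibility": "domain"}
"""

DOWNLOAD_THRESHOLD = 5              # downloads within the window that count as bulk export
DOWNLOAD_WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(events):
    """Return (rule, user, detail) tuples for suspicious patterns in the stream."""
    findings = []
    seen_countries = defaultdict(set)   # user -> countries seen in earlier logins
    downloads = defaultdict(list)        # user -> download timestamps in the sliding window
    bulk_flagged = set()                 # users already reported for bulk download
    for ev in events:
        user = ev["user"]
        if ev["action"] == "login":
            country = ev["country"]
            # Only alert once the user has an established baseline of countries
            if seen_countries[user] and country not in seen_countries[user]:
                findings.append(("new_country_login", user, country))
            seen_countries[user].add(country)
        elif ev["action"] == "download":
            downloads[user].append(ev["ts"])
            # Keep only downloads that fall inside the sliding window
            downloads[user] = [t for t in downloads[user] if ev["ts"] - t <= DOWNLOAD_WINDOW]
            if len(downloads[user]) >= DOWNLOAD_THRESHOLD and user not in bulk_flagged:
                findings.append(("bulk_download", user, len(downloads[user])))
                bulk_flagged.add(user)
        elif ev["action"] == "share" and ev.get("visibility") == "anyone_with_link":
            findings.append(("public_share", user, ev["target"]))
    return findings


def run_detection(text=SAMPLE_LOG):
    return detect_anomalies(parse_events(text))


if __name__ == "__main__":
    for rule, user, detail in run_detection():
        print(f"{rule}: user={user} detail={detail}")
```

The thresholds are deliberately simple; in practice they would be tuned per application and combined with the vendor's own alerting. The point is that these signals exist in most SaaS audit logs, but nobody sees them unless the application is pulled into the organization's monitoring scope.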
SaaS Security Best Practices
The following best practices can help you enhance security for your SaaS applications.
Consider SaaS Security Posture Management (SSPM)
SaaS Security Posture Management (SSPM) is a new type of security platform that reduces the potential for data breaches and unauthorized access to enterprise SaaS applications.
SSPM tools provide visibility over SaaS application configuration and help manage the security fabric of your SaaS environment. They perform continuous monitoring of your organization’s SaaS applications, detecting issues like failure to set secure configurations, excessive privileges, and security vulnerabilities.
SSPM platforms identify gaps between a company’s security policies and the actual security mechanisms defined across a company’s SaaS applications. They not only detect misconfigurations but can also provide remediation guidance, and in some cases, remediate security issues automatically. In addition, SSPM can help an organization remain compliant with standards like CIS benchmarks, SOC 2, and PCI DSS.
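To make the SSPM idea concrete, here is an added example (not code from the article or from any SSPM product) of the core loop such a platform runs: take a snapshot of a tenant's settings, compare it against policy, and emit findings with severity and remediation guidance. The tenant snapshot, its field names and the policy thresholds (`MAX_ADMINS`, `INACTIVE_DAYS`, `MAX_SESSION_MINUTES`) are all constructed assumptions; a real tool would pull the snapshot from each vendor's admin API.

```python
"""Minimal SSPM-style posture check (added example; constructed tenant snapshot)."""
from dataclasses import dataclass
from datetime import date

# Constructed snapshot of a SaaS tenant's settings. The schema is an assumption
# made for this example; real SSPM tools read this from each vendor's admin API.
TENANT = {
    "name": "example-tenant",
    "mfa_required": False,
    "default_link_sharing": "anyone_with_link",
    "session_timeout_minutes": 43200,   # 30 days
    "users": [
        {"login": "alice", "role": "admin", "last_login": "2024-03-01", "mfa": True},
        {"login": "bob", "role": "admin", "last_login": "2023-06-10", "mfa": False},
        {"login": "carol", "role": "admin", "last_login": "2024-02-20", "mfa": True},
        {"login": "dave", "role": "admin", "last_login": "2024-02-28", "mfa": True},
        {"login": "erin", "role": "member", "last_login": "2024-02-29", "mfa": False},
    ],
    "api_tokens": [
        {"owner": "alice", "expires": "2024-06-01"},
        {"owner": "bob", "expires": None},
    ],
}

# Policy thresholds (assumed values for the example)
MAX_ADMINS = 3
INACTIVE_DAYS = 90
MAX_SESSION_MINUTES = 24 * 60


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    subject: str
    remediation: str


def check_posture(tenant, today=date(2024, 3, 4)):
    """Compare a tenant snapshot against policy and return a list of Findings."""
    findings = []
    name = tenant["name"]
    if not tenant["mfa_required"]:
        findings.append(Finding("mfa_not_enforced", "high", name,
                                "Enable tenant-wide MFA enforcement."))
    if tenant["default_link_sharing"] == "anyone_with_link":
        findings.append(Finding("public_sharing_default", "high", name,
                                "Set default link sharing to organisation-only."))
    if tenant["session_timeout_minutes"] > MAX_SESSION_MINUTES:
        findings.append(Finding("long_session_timeout", "medium", name,
                                f"Reduce session timeout to at most {MAX_SESSION_MINUTES} minutes."))
    admins = [u for u in tenant["users"] if u["role"] == "admin"]
    if len(admins) > MAX_ADMINS:
        findings.append(Finding("excessive_admins", "medium", name,
                                f"Reduce admin accounts from {len(admins)} to at most {MAX_ADMINS}."))
    for u in tenant["users"]:
        if u["role"] == "admin" and not u["mfa"]:
            findings.append(Finding("admin_without_mfa", "high", u["login"],
                                    "Require MFA for this admin account."))
        last_login = date.fromisoformat(u["last_login"])
        if (today - last_login).days > INACTIVE_DAYS:
            findings.append(Finding("inactive_account", "low", u["login"],
                                    "Disable or remove the account."))
    for t in tenant["api_tokens"]:
        if t["expires"] is None:
            findings.append(Finding("non_expiring_token", "medium", t["owner"],
                                    "Rotate the token and set an expiry date."))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 3, 'low': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = check_posture(TENANT)
    for f in results:
        print(f"[{f.severity}] {f.rule} ({f.subject}): {f.remediation}")
    print(summarize(results))
```

Each rule maps to a control an auditor would ask about (MFA, sharing defaults, session lifetime, admin sprawl, stale accounts, token hygiene), which is why SSPM output can be fed straight into evidence for CIS, SOC 2 or PCI DSS reviews. Automatic remediation would be a further step that calls the vendor API to change the offending setting.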
Make Data Encryption Mandatory
Typically, SaaS applications use secure communication channels, protected with Transport Layer Security (TLS) to secure data in transit. However, stored data is just as vulnerable to cyberattacks. As a result, more and more SaaS providers offer encryption to protect data at rest. Check with providers to ensure that all SaaS applications enable strong encryption for data at all stages of its lifecycle.
Configure Automated Backups
In a crisis, not having immediate access to data backups can be detrimental to any business. Therefore, configuring automatic backups is a part of any SaaS security checklist. Setting up an automated process to create backups on a regular basis doesn’t take much time and effort, but it is one of the most important disaster recovery methods, because an organization depends on the continuity of its critical systems.
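A backup that has never been verified is only a hope. The following added example (not code from the article, and not tied to any SaaS vendor's export API) shows the three pieces a scheduled SaaS backup job needs: write a timestamped snapshot of exported records with a SHA-256 manifest, verify a snapshot against its manifest as a restore test, and apply a retention policy so old snapshots are pruned. The records are constructed inline; in a real job they would come from the application's export API.

```python
"""Automated, integrity-checked backups of a SaaS data export (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(records, backup_root):
    """Write one timestamped snapshot plus a manifest recording its hash and size."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    snap_dir = os.path.join(backup_root, stamp)
    n = 0
    while os.path.exists(snap_dir):       # guard against same-microsecond collisions
        n += 1
        snap_dir = os.path.join(backup_root, f"{stamp}-{n}")
    os.makedirs(snap_dir)
    data_path = os.path.join(snap_dir, "export.json")
    with open(data_path, "w") as f:
        json.dump(records, f, sort_keys=True)
    manifest = {"file": "export.json", "sha256": sha256_file(data_path),
                "records": len(records), "created": stamp}
    with open(os.path.join(snap_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return snap_dir


def verify_backup(snap_dir):
    """Restore test: True only if the data file exists, hashes match and record count agrees."""
    with open(os.path.join(snap_dir, "manifest.json")) as f:
        manifest = json.load(f)
    data_path = os.path.join(snap_dir, manifest["file"])
    if not os.path.exists(data_path):
        return False
    if sha256_file(data_path) != manifest["sha256"]:
        return False
    with open(data_path) as f:
        records = json.load(f)
    return len(records) == manifest["records"]


def apply_retention(backup_root, keep):
    """Delete the oldest snapshots so that at most `keep` remain; return removed names."""
    snaps = sorted(d for d in os.listdir(backup_root)
                   if os.path.isdir(os.path.join(backup_root, d)))
    to_remove = snaps[:-keep] if keep > 0 else snaps
    for name in to_remove:
        path = os.path.join(backup_root, name)
        for fn in os.listdir(path):
            os.remove(os.path.join(path, fn))
        os.rmdir(path)
    return to_remove


def demo():
    """Run a full cycle on constructed data in a temp dir.

    Returns (snapshots_kept, all_verified, tamper_detected, snapshots_removed).
    """
    root = tempfile.mkdtemp(prefix="saas-backups-")
    records = [{"id": i, "customer": f"cust-{i}"} for i in range(100)]   # constructed export
    for _ in range(5):
        create_backup(records, root)
    removed = apply_retention(root, keep=3)
    kept = sorted(os.listdir(root))
    all_ok = all(verify_backup(os.path.join(root, d)) for d in kept)
    # Simulate silent corruption of the newest snapshot and confirm the restore test catches it
    with open(os.path.join(root, kept[-1], "export.json"), "a") as f:
        f.write(" ")
    tamper_detected = not verify_backup(os.path.join(root, kept[-1]))
    return len(kept), all_ok, tamper_detected, len(removed)


if __name__ == "__main__":
    print(demo())
```

Run this from a scheduler (cron, a CI job, or a cloud function) with the export step pointed at the real application, store snapshots outside the SaaS provider's own infrastructure, and let the verification step page someone when it fails. The trailing-whitespace corruption in `demo()` is deliberate: the JSON still parses, so only the hash check catches it.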
Educate Employees on Security Practices
Security training for all employees is essential. For example, an organization must educate employees on the dangers of account sharing, the importance of maintaining strong passwords, and how to identify and avoid falling prey to phishing and scams.
Raising security awareness can help combat social engineering, which is used in virtually all cyber attacks. It is a proactive security measure that ensures employees have up-to-date knowledge about security threats and the organization’s security policies.
Adopt a Secure Software Development Lifecycle (SDLC)
Many organizations not only use SaaS applications but also customize them, develop extensions, or even build their own SaaS offerings.
Because SaaS security is an ongoing process, security activities must be established throughout the software development lifecycle. These activities include secure coding practices, vulnerability analysis, and penetration testing to enhance and complement existing security controls. This requires development teams to add security as an important concern at every stage of development—from planning through to development, testing, and deployment.
In this article, I explained the basics of SaaS security, covered the key threats facing SaaS applications—including insecure configuration, insider threats, and identity theft—and provided several best practices that can help you secure your applications:
- Leverage SaaS Security Posture Management (SSPM) platforms which can provide visibility and control over security in large-scale SaaS deployments.
- Use data encryption both for data in transit and at rest, and avoid using SaaS providers that don’t support encryption.
- Configure automated backups to ensure all data in a SaaS application can be recovered in case of a disaster.
- Educate employees about security practices to make your workforce resilient to social engineering.
- Adopt a Secure Software Development Lifecycle (SDLC) for teams developing code for SaaS applications, to ensure they “shift left” and bake in security from the start.
I hope this will be useful as you evaluate and improve the security of your SaaS portfolio.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.